[XPORTER-2959] RCE vulnerability at Scheduled Report - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.0.0
Fix Version/s: 6.3.4
Component/s: Scheduled Reports, Security
Labels:
- security_vulnerability_critical

Requirement Status:
OK
- 1

Description

A Jira Project Manager can exploit Xporter Scheduled Report by Server-Side Injection - Remote Code Execution. An attacker could create a template with malicious code and change the output file extension before creating the Scheduled Report.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

upload_webshell.mp4
42.81 MB
05/Dec/19 9:07 AM
hello.txt
0.0 kB
02/Mar/20 1:34 PM

Issue Links

is cloned by

XPORTER-3157 RCE vulnerability at Multi-action Workflow Post Function

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...

Activity

People

Assignee:: Rui Rodrigues

Reporter:: Rui Rodrigues

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 04/Dec/19 2:07 PM

Updated:: 16/Apr/24 2:15 PM

Resolved:: 28/Apr/20 3:41 PM

Time Tracking

Estimated:

Remaining:

Logged:

1d 1h 30m